vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted template conditional expressions. Attackers abuse PHP's alternative function invocation syntax to bypass template engine security checks and execute arbitrary PHP code, as actively exploited in the wild in May 2025.
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025.
NetAlertX is a network, presence scanner and alert framework. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.